Enterprises (e.g., corporations, partnerships, governments, academic institutions, other organizations, etc.) face continuously increasing risks of malicious attacks waged against their computer networks and assets. Some enterprises have mitigated the risks of unauthorized access to their enterprise resources by implementing strong password policies across their organizations. The password policies typically forced enterprise users to create and maintain a myriad of passwords to access enterprise resources and to regularly change those passwords. However, these password policies have not been without their share of problems. Most enterprise users ended up creating passwords that were easy for them to remember but were vulnerable to brute force, dictionary, or social engineering attacks. Additionally, users tended to forget or misplace these passwords, leading to issues when attempting to access enterprise resources.
In order to address some of the issues with password policies, some enterprises have augmented their network and computer security procedures to include deployment and maintenance of Personal Identity Verification (PIV) cards or Common Access Card (CAC) cards (a CAC card is a PIV card issued by the U.S. Department of Defense). The advantages to the enterprise of these cards are at least two-fold. First, the cards are designed to provide two-factor authentication: physical possession of the card and a personal identification number (PIN) known only to the owner of the card. Second, the cards allow an enterprise to generate and assign derived credentials to an enterprise user. The term “derived credentials” may refer to cryptographic credentials that may be derived from those in a PIV or CAC card and may be stored in a computing device rather than on the card. Through the use of these cards, the enterprise, and not the enterprise user, can control the derived credentials that provide access to resources and the lifecycle and/or lifetime of the derived credentials. An enterprise can create, assign, change, deprecate, or revoke derived credentials as the enterprise determines necessary to protect their enterprise resources. Stated differently, an enterprise user might not need to know the passwords needed to access enterprise resources; rather, the enterprise user might only need to insert their PIV or CAC card into a card reader and enter their PIN.
With the emergence of a newer generation of computing devices and in particular with mobile computing devices, the use of PIV and CAC cards has proved challenging. PIV and CAC cards are geared towards traditional computing devices (e.g., desktop and laptop computers) with which the card readers can be easily integrated. Mobile devices lack the integrated smart card readers found in laptop and desktop computers and require separate card readers attached to devices to provide authentication services from the device. Typically, enterprise PIV or CAC card users must authenticate and present their card every instance in which they require a new derived credential. Accordingly, the user experience of generating derived credentials with a PIV or CAC card on a mobile computing device results in negating most of the portability and mobility advantages that the mobile computing devices provide.
The magnitude and complexity of the situation is further increased by the current trend towards BYOD—bring your own device. BYOD environments allow enterprise users to provide their own devices, such as mobile phones, smartphones, tablets, laptops, personal computers, or other electronic devices, for work purposes in addition to the computer resources provided by the enterprise. However, BYOD scenarios pose inherent security risks to the enterprise because the enterprise typically lacks uniform and full control over each employee-provided device, and because many enterprise users may resist integrating card readers to their personal mobile computing devices.
In a BYOD world, enterprise mobility management (EMM) solutions are emerging as a popular way to assist in the management and control of remote access to enterprise resources from personal devices. EMM solutions have traditionally taken the approach of managing mobile computing devices through what are known as mobile device management (MDM) services and mobile application management (MAM) services. Mobile device management policies control mobile computing devices using access control and monitoring technologies. Mobile application management policies deliver enterprise software to mobile computing devices and administer that software. These policies support the incorporation of various security features, including geo-fencing features, remote wipe features, application isolation features, and data vault encryption features. While these EMM solutions increase the security of using personal devices to access enterprise resources, these solutions are also bound to only increase the number of credentials required to access the enterprise resources. Typically, enterprise users must know and enter their usernames and network or directory services password or they must provide a one-time password (OTP) generated by the EMM server. Furthermore, some EMM solutions may rely on the credentials stored on a PIV or CAC card for identification and authentication, which results in the enterprise user having to provide their PINT or CAC card every time they wish to access enterprise resources.